"Flash Player versions 12.0.0.43 and earlier are vulnerable," Feng said. "We analysed how these attacks work and found the following details. The malicious file has been distributed as a .swf file, which contains: the vulnerability trigger, shellcode, a PE file (encrypted)."

Feng said that the .swf file can be hosted on a web server and run when the webpage is visited, and when the .swf is loaded, the vulnerability is triggered.

"The .swf successfully bypasses the validation of memory range and is able to access an arbitrary location. It overwrites a pointer in a VTABLE to successfully pass control to a controlled location," Feng explained.

"The controlled location starts with stack pivot ROP gadgets built from a Flash Player DLL. The ROP gadgets call VirtualProtect() to make the shellcode memory region executable. Finally, the control is passed to the shellcode via a jmp esp instruction."

TWC said that the exploit works across multiple Flash Player versions and in its testing, it was able to reproduce the attack in Adobe Flash Player versions 11.6.602.171, 11.6.602.180, 11.7.700.169, 11.7.700.202, 11.7.700.224, 11.8.800.94, 11.8.800.168, 11.8.800.175, 11.9.900.117, 11.9.900.152 and 11.9.900.170.

Versions 12.0.0.43 and earlier are known to contain the vulnerability used by the attack, but 12.0.0.43 also includes a mitigation that prevents building the ROP gadget from the Flash Player DLL. "The sample we analysed does not support version 12.x for this reason," Feng added.

Microsoft TWC recommended that if you're using Flash Player version 12.0.0.43 or earlier, you should update Flash Player now to be protected against these attacks.
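For patch triage, the version ranges above can be turned into an inventory check. The following is an added example, not code from Microsoft or the article: it assumes version strings arrive either dotted or in the comma-separated form with a platform prefix, and the host names and inventory are constructed.

```python
import re

# Versions the article lists as reproduced in Microsoft's testing.
REPRODUCED = {
    "11.6.602.171", "11.6.602.180", "11.7.700.169", "11.7.700.202",
    "11.7.700.224", "11.8.800.94", "11.8.800.168", "11.8.800.175",
    "11.9.900.117", "11.9.900.152", "11.9.900.170",
}
LAST_VULNERABLE = (12, 0, 0, 43)  # "12.0.0.43 and earlier" per the article
_VERSION_RE = re.compile(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)")

# Patch priority, most urgent first.
PRIORITY = ["vulnerable-reproduced", "vulnerable", "vulnerable-12x",
            "unknown", "above-affected-range"]

def parse_version(raw):
    """Return a 4-tuple of ints from '11.7.700.169' or 'WIN 11,7,700,169'."""
    m = _VERSION_RE.search(raw or "")
    return tuple(int(p) for p in m.groups()) if m else None

def classify(raw):
    v = parse_version(raw)
    if v is None:
        return "unknown"               # unparseable: needs manual review
    if v > LAST_VULNERABLE:
        return "above-affected-range"  # newer than the range the article names
    if v[0] == 12:
        # Vulnerability present, but the analysed sample does not support 12.x.
        return "vulnerable-12x"
    if ".".join(map(str, v)) in REPRODUCED:
        return "vulnerable-reproduced"
    return "vulnerable"                # in range, not on the tested list

def triage(inventory):
    """Return (host, raw_version, status) rows sorted by patch priority."""
    rows = [(host, raw, classify(raw)) for host, raw in inventory.items()]
    return sorted(rows, key=lambda r: PRIORITY.index(r[2]))

# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = {
    "ws-01": "12.0.0.44",
    "ws-02": "WIN 11,7,700,169",
    "ws-03": "12.0.0.43",
    "ws-04": "11.5.502.110",
    "ws-05": "not installed",
}

if __name__ == "__main__":
    for host, raw, status in triage(SAMPLE_INVENTORY):
        print(f"{host:6} {raw:20} {status}")
```

Every status other than `above-affected-range` still calls for the update the article recommends; the ordering only decides which hosts go first.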